CVE-2025-7880 is a medium-severity vulnerability affecting Metasoft 美特软件's MetaCRM product versions up to 6.4.2. The vulnerability exists in the /business/common/sms/sendsms.jsp file, specifically involving the manipulation of the 'File' argument, which leads to an unrestricted file upload flaw. This flaw allows an unauthenticated remote attacker to upload arbitrary files to the server without proper validation or restrictions. The vulnerability does not require user interaction or authentication, making it easier to exploit remotely over the network. Although the CVSS 4.0 base score is 5.3 (medium), the exploitability is relatively straightforward due to low attack complexity and no privileges required. The impact on confidentiality, integrity, and availability is limited but non-negligible, as an attacker could upload malicious files such as web shells or malware, potentially leading to remote code execution or persistent compromise of the CRM system. The vendor has been contacted but has not responded or issued a patch, and no known exploits are currently reported in the wild. The vulnerability disclosure is public, which increases the risk of exploitation by opportunistic attackers. The affected functionality relates to SMS sending features, which may be critical for customer relationship management and communications within organizations using MetaCRM. The lack of patch or mitigation guidance from the vendor increases the urgency for organizations to implement compensating controls.

For European organizations using MetaCRM versions up to 6.4.2, this vulnerability poses a risk of unauthorized file uploads that could lead to server compromise, data leakage, or disruption of CRM services. Given that CRM systems often contain sensitive customer data and business-critical information, exploitation could result in confidentiality breaches and operational impacts. Attackers could leverage this flaw to deploy web shells or malware, enabling persistent access or lateral movement within the network. This could also impact compliance with European data protection regulations such as GDPR if personal data is exposed or compromised. The medium severity rating suggests that while the vulnerability is not the most critical, it still represents a significant risk, especially in environments where MetaCRM is exposed to the internet or insufficiently segmented. The absence of vendor patches means European organizations must rely on internal mitigations to reduce exposure. The potential impact is higher for organizations with direct internet-facing MetaCRM deployments or those lacking robust network segmentation and monitoring.

Since no official patch or vendor response is available, European organizations should take immediate compensating measures: 1) Restrict access to the /business/common/sms/sendsms.jsp endpoint by implementing strict network-level controls such as IP whitelisting or VPN-only access to limit exposure. 2) Deploy web application firewalls (WAFs) with custom rules to detect and block suspicious file upload attempts targeting the 'File' parameter. 3) Conduct thorough input validation and sanitization at the application or proxy level if possible, to prevent malicious file uploads. 4) Monitor server logs and file system changes for unauthorized uploads or anomalous activity related to the vulnerable endpoint. 5) Isolate the MetaCRM server from other critical infrastructure to limit lateral movement in case of compromise. 6) Consider disabling or restricting the SMS sending functionality temporarily if it is not essential. 7) Plan for an upgrade or migration to a patched or alternative CRM solution once available. 8) Educate security teams to be vigilant for indicators of compromise related to this vulnerability. These targeted mitigations go beyond generic advice by focusing on access restrictions, monitoring, and containment specific to the vulnerable component.